Rick McElroy 8 January 2018
Categories Technology

The five questions every CEO should be asking their business about risk management in 2018

Is there a CEO on the planet that doesn’t have security high on their agenda at the start of 2018? If it isn’t yet, asking these five questions will help you create an environment of proactive and positive risk management, and will help you develop a more resilient business.

I don’t believe there is a CEO on the planet that doesn’t have security high on their agenda at the start of 2018. The combination of escalating cyberattacks and new privacy legislation means that CEOs are being held accountable for the resilience of their organisation and the safety of their customers’ data like never before. This is undoubtedly a good thing: as CEO you set the culture of an organisation through your leadership and the priorities that you communicate to management teams. While we don’t expect CEOs to be on the front line of network monitoring and response, we do need them to set the culture and expectations under which those who are on the front line operate. These are the questions that CEOs should be asking their teams in order to create an environment of proactive and positive risk management. Regularly asking and answering them will lead to a more resilient company that can manage risk for competitive advantage.

The number one question is: How are we managing risk? What’s the structure of the team?

Asking this question should allow you to understand the overall structure and maturity of risk management in your organisation. Your team should be able to briefly and succinctly identify the following when asked:

Who is actually responsible for managing and accepting risk in the organisation?

Do you have someone responsible for risk management? Is there someone responsible for information security? Is someone responsible for compliance? Is this decentralised or centralised? How many staff members are dedicated to managing risk?

Your team should be able to confidently describe how the overall programme is managed and organised. They should know the chain of command and escalation thresholds and have strong communication channels.

Ensuring the security and compliance of business partners and suppliers is an increasingly critical aspect of due diligence for customers, so bonus points for organisations that have their risk management structure documented and ready to give to external auditors or customers who may ask. This should exist and be ready to go at any moment – it should not require a long data-gathering exercise.

Question two: What is our risk tolerance?

CEOs and boards should drive the acceptable level of risk tolerance for an organisation. Of course, in an ideal world, we would have zero tolerance for risk, but last time I checked this world was far from ideal, so in reality:

“Risk tolerance is defined as the level of risk or degree of uncertainty that is acceptable to organisations and is a key element of the organisational risk frame. An organisation’s risk tolerance level is the amount of corporate data and systems that can be risked to an acceptable level. Having a defined risk tolerance level means the security programme knows the degree that management requires the organisation to be protected against the threats they face.”

Giving tolerance guidance to your team will ensure they align to your strategic plan and allow them to drive risk intelligently to an appropriate level.

Question three: When is risk being considered?

Is it baked into the upstream decision-making process, or is it considered throughout the life cycle of the business? Your team should help you understand where risk decisions are being made in the business cycle and whether or not the defences are commensurate with the risk. This will also speak to the maturity of your risk management programme: as your programme matures, managing risk will become an inherent element of strategic and operational business planning, rather than a bolt-on.

Question four: Where is the current list of risks and what is on it?

Risks come in all shapes and forms. Some risks are really business opportunities waiting to be realised. The organisation that can manage risk well will not only do a better job protecting itself from cyber threats (and indeed threats of all kinds) but will also give itself a long-term competitive advantage. As the saying goes: “no one ever succeeded in business without taking risks.” Just because it’s a risk does not make it inherently a bad thing.

For most organisations risks will fall into one or more of the following categories: Compliance/Regulatory Risks; Security Risks; Financial Risks; Privacy Risks; Industry and Competitive Risks and Management Risks.

Knowing where to get information about the level, severity and exposure to all these types of risk when needed is crucial to making risk-based decisions. Organisations with a mature risk management posture are now utilising online dashboards updated in real time based on downstream risk data to inform their decision-making and keep them ahead of the curve.

Question five: How are risks being managed and communicated? What’s the cadence of meetings?

This final piece is about culture and will allow you, as the CEO, to understand whether your organisation embraces open and transparent risk discussions or whether there are still unknown risks which are not being identified, communicated or managed appropriately. This will also ensure risk discussions are positive and ongoing and that they occur at the appropriate time frames for your organisation.

As CEO, regularly asking these questions of your management teams will ensure that you set a culture of proactive, transparent and competitive risk management within your organisation. In today’s threat-intensive, privacy-oriented landscape it’s a core responsibility for all CEOs that, done well, will foster business resilience and a competitive edge.
